| Field | Value |
|---|---|
| Summary | <dev-lang/python-{2.7.18,3.6.10-r2,3.7.7-r2,3.8.2-r2,3.9.0_alpha5-r1}: Python allows an HTTP server to conduct ReDoS attacks against a client (CVE-2020-8492) |
| Product | Gentoo Security |
| Reporter | filip ambroz <filip.ambroz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | mgorny, python |
| Priority | Normal |
| Flags | nattka: sanity-check- |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugs.python.org/issue39503 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=718588, https://bugs.gentoo.org/show_bug.cgi?id=728668 |
| Whiteboard | A3 [glsa+ cve] |
| Package list | dev-lang/python-2.7.18, dev-lang/python-3.6.10-r2, dev-lang/python-3.7.7-r2, dev-lang/python-3.8.2-r2 |
| Runtime testing required | --- |
Description
filip ambroz
2020-02-01 22:41:12 UTC
CVE-2020-8492 (https://nvd.nist.gov/vuln/detail/CVE-2020-8492): Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

---

So apparently 3.8.2 is the only good version now.

---

Hmm, no, apparently the CVE didn't account for 3.8.2. Upstream did not merge a fix yet ;-/.

---

(In reply to Michał Górny from comment #3)
> Hmm, no, apparently the CVE didn't account for 3.8.2. Upstream did not
> merge a fix yet ;-/.

Patched in

2.7.18: https://github.com/python/cpython/commit/e6499033032d5b647e43a3b49da0c1c64b151743
3.6: https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e
3.7: https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e
3.8: https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41
master (3.9?): https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4

PR: https://github.com/python/cpython/pull/18284

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d0962541c4227d11c9fbcc5373104676680859f

commit 4d0962541c4227d11c9fbcc5373104676680859f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:20:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:28 +0000

    dev-lang/python: Backport secfixes to 3.9.0a5, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                      |   2 +
 dev-lang/python/python-3.9.0_alpha5-r1.ebuild | 329 ++++++++++++++++++++++++++
 2 files changed, 331 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d24d55c6519197b1f7f70c9233aac9d06823a0cc

commit d24d55c6519197b1f7f70c9233aac9d06823a0cc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:16:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:26 +0000

    dev-lang/python: Backport secfixes to 3.8.2, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   2 +-
 dev-lang/python/python-3.8.2-r2.ebuild | 348 +++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84738a6394aa497ed0cc14c1cca27cf2f3a42030

commit 84738a6394aa497ed0cc14c1cca27cf2f3a42030
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:11:25 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:25 +0000

    dev-lang/python: Backport secfixes to 3.7.7, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.7-r2.ebuild | 345 +++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f79755dbf44b79c2f5b99e9f3258b656d2d99ebb

commit f79755dbf44b79c2f5b99e9f3258b656d2d99ebb
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:57:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:24 +0000

    dev-lang/python: Backport secfixes to 3.6.10, redo patchset

    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.10-r2.ebuild | 359 ++++++++++++++++++++++++++++++++
 2 files changed, 360 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca57e96ecbcd060e4f70aa24ccd83470ccb8a434

commit ca57e96ecbcd060e4f70aa24ccd83470ccb8a434
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:33:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:23 +0000

    dev-lang/python: Bump to 2.7.18

    Bug: https://bugs.gentoo.org/707822
    Closes: https://bugs.gentoo.org/716332
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   2 +
 dev-lang/python/python-2.7.18.ebuild | 366 +++++++++++++++++++++++++++++++++++
 2 files changed, 368 insertions(+)

---

amd64 stable

---

arm stable

---

x86 stable

---

arm64 stable

---

s390 stable

---

ppc stable

---

ppc64 stable

---

This issue was resolved and addressed in GLSA 202005-09 at https://security.gentoo.org/glsa/202005-09 by GLSA coordinator Thomas Deutschmann (whissi).

---

Re-opening for cleanup and remaining architectures.

@hppa, sparc: ping

---

sparc stable

---

hppa stable

---

@maintainer(s), please cleanup

---

Cleanup was done here.

---

Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18
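To make the "catastrophic backtracking" in the description concrete, here is an added example written for this page (it is not code from the bug report, from Gentoo or from CPython). It places the pre-fix `AbstractBasicAuthHandler` challenge regex beside the anchored one introduced by the upstream fix, shows why the old one blows up on a server-controlled `WWW-Authenticate` value with many commas, and shows that the old pattern also silently skipped a `Basic` challenge that was followed by another realm. Both regular expressions are reproduced from memory of the upstream commits linked above and are an assumption to be checked against them; the header values and the `parse_challenges`, `pick_basic_realm`, `redos_header` and `search_seconds` helpers are constructed for this example.

```python
"""Added example: CVE-2020-8492 style ReDoS in a WWW-Authenticate parser."""
import re
import time

# Pre-fix pattern (assumption: recalled from CPython before the linked fix).
# `(?:.*,)*` is a nested quantifier whose inner `.*` can itself consume commas,
# so a header with k commas and no usable "realm=" clause can be partitioned in
# about 2^(k-1) ways before the engine gives up, and re.search() repeats that
# from every start offset.  Python's re module has no timeout to fall back on.
VULNERABLE_RX = re.compile(
    r"""(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["']?)([^"']*)\2""", re.I)

# Post-fix pattern (assumption: recalled from the linked upstream commits).
# A challenge must start at the beginning of the value or right after a comma,
# and the scheme token may not contain commas, so no character can be claimed
# by two different quantifiers and the match runs in linear time.
FIXED_RX = re.compile(
    r"""(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["']?)([^"']*)\2""", re.I)


def parse_challenges(rx, header):
    """Return (scheme, realm) for every challenge `rx` finds in a
    WWW-Authenticate / Proxy-Authenticate header value."""
    return [(m.group(1), m.group(3)) for m in rx.finditer(header)]


def pick_basic_realm(rx, header):
    """Mimic the handler's decision: realm of the first Basic challenge the
    pattern yields, or None when it yields none."""
    for scheme, realm in parse_challenges(rx, header):
        if scheme.lower() == "basic":
            return realm
    return None


def redos_header(n_commas):
    """Constructed attacker-controlled header value: n commas, no realm= at
    all.  A malicious server sends this in a 401 response to a urllib client."""
    return "," * n_commas + "x"


def search_seconds(rx, header):
    """Wall-clock time of one rx.search(), the call the handler makes per 401."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    hdr = 'Basic realm="api", Digest realm="other"'
    print("vulnerable pattern sees:", parse_challenges(VULNERABLE_RX, hdr))
    print("fixed pattern sees:     ", parse_challenges(FIXED_RX, hdr))
    # Roughly doubling time per extra comma is the signature of exponential
    # backtracking; n is kept small on purpose.
    for n in (10, 12, 14, 16):
        slow = search_seconds(VULNERABLE_RX, redos_header(n))
        fast = search_seconds(FIXED_RX, redos_header(n))
        print(f"{n:2d} commas: vulnerable {slow:.4f}s  fixed {fast:.6f}s")
    # The anchored pattern stays linear even for a very long hostile value.
    print("fixed, 200000 commas:",
          f"{search_seconds(FIXED_RX, redos_header(200000)):.4f}s")
```

The functional difference is worth noting alongside the denial of service: on `Basic realm="api", Digest realm="other"` the old pattern's leading `(?:.*,)*` greedily swallows everything up to the last comma, so the only challenge it reports is the Digest one and the client never attempts Basic authentication; the anchored pattern, iterated with `finditer`, reports both in order.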